A WordPress reservation plugin has a vulnerability that allows unauthenticated hackers to access reservation data stored by site owners.

An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customers' personally identifiable information simply by submitting a malicious snippet of JavaScript code in the reservation comment field.

The bug affects ReDi Restaurant Reservation versions prior to 21.0307, and a patched version of the plugin (v. 21.0426) is available for download. The vulnerability (CVE-2021-24299) is a persistent cross-site scripting (XSS) bug. The flaw is not yet rated.

A public proof-of-concept disclosure of the ReDi bug was released Sunday with the official public disclosure delayed a month “due to the severity of the vulnerability,” according to Bastijn Ouwendijk, credited for finding the bug. The researcher alerted the makers of the plugin, Catz Soft, on April 15. A fix was available on April 25.

“[The bug] makes it possible for malicious attackers to, for example, steal the plugin API-key and potentially steal information about customers that made reservations, steal cookies or other sensitive data,” according to Ouwendijk in a technical breakdown and proof of concept of the bug posted Sunday.

Leaky application programming interface (API) keys have been a popular target of hackers in dozens of attacks and been responsible for even more vendor fixes. Twitter, Imperva’s Cloud Web Application Firewall and recently 30 popular mHealth apps have each grappled with insecure API key issues.

Easily Exploited Bug

A review of the ReDi Restaurant Reservation plugin bug shows how an adversary can launch an attack simply by using a JavaScript payload – one that has fewer than 250 characters – to exploit the XSS bug.

“How does this vulnerability work? The plugin provides users the functionality to book a reservation for the restaurant. A user just has to visit the reservation page,” the researcher explained. Next, the attacker makes a reservation and in the “Comment” field inputs the malicious JavaScript. Because the text and JavaScript code are not sanitized, or rendered harmless, the user comment data “is processed and saved to local variables.”

“Next, the saved variables are pushed to the database. Also note here that variables are not sanitized or validated before being pushed to the database. This means the strings we submit through the form for the variables UserName, UserPhone, UserEmail and UserComments will be saved to the database without changes,” the researcher wrote.

The payload is executed when a WordPress site administrator or restaurant owner views the reservations through the platform’s own webpage.

“This is a webpage where you can view the reservations made for a specific time period. This page isn’t a WordPress webpage, but an external page that is loaded within an iframe, as can be seen in the PHP code,” the researcher said.

PHP (Hypertext Preprocessor) is a scripting language used for generating dynamic content executed on a web server.

“The url that is loaded within the iframe takes the url https[://]upcoming.reservationdiary[.]eu/Entry/ and appends it with the API-key that is registered in your ReDi Restaurant Reservation plugin. When visiting this url, it shows all the made reservations for a specific time period,” Ouwendijk wrote.
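The two missing controls described above, validation before storage and encoding when the reservations view is built, can be sketched as follows. This is an added example, not the plugin's code or the vendor's patch: the field names come from the write-up, while the function names, length limits and phone pattern are assumptions (PHP 7.4 or later).

```php
<?php
declare(strict_types=1);

// Input side: validate the four form fields named in the write-up before storing them.
// The limits and the phone pattern are assumptions for this example.
function validate_reservation(array $in): array
{
    $get = static fn(string $k): string => trim((string)($in[$k] ?? ''));
    $clean = [
        'UserName'     => $get('UserName'),
        'UserPhone'    => $get('UserPhone'),
        'UserEmail'    => $get('UserEmail'),
        'UserComments' => strip_tags($get('UserComments')), // free text: drop markup
    ];
    $errors = [];
    if ($clean['UserName'] === '' || strlen($clean['UserName']) > 100
        || $clean['UserName'] !== strip_tags($clean['UserName'])) {
        $errors[] = 'UserName';
    }
    if (!preg_match('/^\+?[0-9 ()-]{5,20}$/', $clean['UserPhone'])) {
        $errors[] = 'UserPhone';
    }
    if (filter_var($clean['UserEmail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'UserEmail';
    }
    if (strlen($clean['UserComments']) > 500) {
        $errors[] = 'UserComments';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Output side: encode every stored value when building the reservations view.
// This is the control that stops stored markup from running in the viewer's browser.
function render_reservation_row(array $row): string
{
    $e = static fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $e($row['UserName']) . '</td><td>' . $e($row['UserPhone'])
         . '</td><td>' . $e($row['UserEmail']) . '</td><td>' . $e($row['UserComments'])
         . '</td></tr>';
}

// Constructed sample submission (not taken from the proof of concept).
$submitted = [
    'UserName' => 'Alex Example', 'UserPhone' => '+31 20 555 0100',
    'UserEmail' => 'alex@example.com',
    'UserComments' => 'Window seat please <script>/* test markup */</script>',
];
$result = validate_reservation($submitted);
echo $result['ok'] ? render_reservation_row($result['data']) : implode(',', $result['errors']);
echo PHP_EOL;
```

Input validation alone is not sufficient, since a syntactically valid e-mail address can still contain quote characters; the encoding step has to run wherever the stored values are rendered, including a page loaded in an iframe.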

The publishers of the plugin, Catz Soft, did not reply to requests for comments. The researcher, Ouwendijk, did not reply to specific technical questions regarding this bug.
